UK law introduces life sentence for cybercriminals

The Computer Misuse Act 1990 is to be amended to make sure that hackers that launch serious
attacks, such as those on critical infrastructure, could face life
imprisonment.

The Act sits under the Serious Crime Bill. In general, it
outlines offences associated with hacking and associated tools
(malware) that let computer systems be breached.

At the moment the offences outlines do not really account for a
type of cyberattack that might be life threatening or pose a risk
to national security. Section 1 of the act makes unauthorised
access to computer material or a person's user ID and password an
offence. A Section 2 offence -- which is slightly more serious --
relates to committing further crimes after gaining unauthorised
access to someone's computer, for example stealing their money or
using information found on their system to blackmail them. Section
3 offences include spreading viruses, deleting files, using Trojans
to steal data or mounting a denial of service attack. The maximum
sentence for these offences is ten years for Section 3
offences.

The proposed Serious Crime Bill, which was announced in the Queen's
Speech this week, includes the addition of a new offence under the Computer Misuse Act, which is
"unauthorised acts causing serious damage".

The new offence relates to the most serious cyber attacks, such
as those targeting essential systems such as power supply,
communications, food or fuel distribution. These attacks are ones
that could result in loss of life, serious injury, social
disruption or damage to the economy, environment or national
security. A "significant link to the UK" is required -- so either
the accused or the target computer at the time of the offence or
the damage cause has to be in the UK, and the accused must have
intended to cause serious damage.

This new offence is more serious than section 3 offences and the
sentencing reflects this: if the attack results in a loss of life,
serious illness or injury or serious damage to national security
then the accused faces life imprisonment. If the attack results in
serious economic or environmental damage or social disruption, the
maximum sentence is 14 years.

The Bill also features a couple of changes to make sure that UK
law is brought in line with European law, following the adoption of
a directive relating to cybersecurity in August 2013.

In implementing the EU Directive on Attacks Against Information Systems, the bill
now makes it an offence for individuals to obtain tools such as
malware with the intention to commit cybercrime personally.
Furthermore there is a provision to extend the jurisdiction of UK
law enforcement to allow it to take action against UK citizens
committing cybercrime offences while physically outside of the UK
on nationality alone.

Changes to the Serious Crime Act will also see the possession
and creation of "paedophile manuals" become a criminal offence.
It's currently against the law to possess indecent images of
children, but there is no existing offence of owning manuals that
offer advice on how to groom or abuse children sexually.

The amendments should be introduced through the Serious Crime
Bill in June 2014.